Improper Validation of Syntactic Correctness of Input in Cisco IOS XE - CVE-2026-20114
Published: March 25, 2026
Vulnerability identifier: #VU124588
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-20114
CWE-ID: CWE-1286
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco IOS XE
Cisco IOS XE
Detailed vulnerability description
The vulnerability allows a remote user to escalate privileges and access management APIs that would not normally be available for Lobby Ambassador users.
The vulnerability exists due to improper validation of parameters in the Lobby Ambassador web-based management API when handling HTTP requests. A remote user can send a specially crafted HTTP request after authenticating as a Lobby Ambassador user to escalate privileges and create a new user with privilege level 1 access to the web-based management API.
Successful exploitation allows the attacker to access device management APIs with elevated privileges.
How to mitigate CVE-2026-20114
Install security update from vendor's website.